Year 2000 Computing Crisis: Readiness of Medicare and the Health Care Sector

Below is a raw (and likely hideous) rendition of the
original report.
(PDF)

United States General Accounting Office
GAO Testimony
Before the Subcommittee on Oversight and Investigations
and the Subcommittee on Health and Environment,
Committee on Commerce, House of Representatives
For Release on Delivery
Expected at YEAR 2000 COMPUTING
CRISIS
1 p.m.
Tuesday,
April 27, 1999
Readiness of Medicare and
the Health Care Sector
Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division
GAO/T-AIMD-99-160
Messrs. Chairmen and Members of the Subcommittees:
We appreciate the opportunity to join in today's hearing and share
information on the readiness of automated systems that support the
nations delivery of health benefits and services to function reliably without
interruption through the turn of the century. This includes the ability of
Medicare and Medicaid to pay for services to millions of Americans and the
overall readiness of the health care sector, including such key elements as
biomedical equipment used in the delivery of health services. Successful
Year 2000--or Y2K--conversion is critical to these efforts.
We reported in February that while some progress by the Department of
Health and Human Services (HHS) Health Care Financing Administration
(HCFA)and its contractorshad been made in addressing the numerous
recommendations we made last year 1 to improve key HCFA management
practices associated with its Y2K program, many significant challenges
remained. 2 At the time, we also reported that while some progress had
been achieved, many states Medicaid systems were at risk, and much work
remained. 3
Beyond Medicare and Medicaid, the information available on the national
level concerning Y2K readiness throughout the health care sector
including providers, insurers, manufacturers, and suppliersindicates
much work remains in renovating, testing, and implementing compliant
systems. Also, as we recently testified, while information on the
compliance status of biomedical equipment is available through a
clearinghouse maintained by the Food and Drug Administration (FDA), the
test results for this equipment are not reviewed. 4 Finally, information on
the Y2K readiness of pharmaceutical and medical-surgical manufacturers is
incomplete.
1 Medicare Computer Systems: Year 2000 Challenges Put Benefits and Services in Jeopardy
(GAO/AIMD-98-284, September 28, 1998).
2 Year 2000 Computing Crisis: Medicare and the Delivery of Health Services Are at Risk
(GAO/T-AIMD-99-89, February 24, 1999).
3
Year 2000 Computing Crisis: Readiness of State Automated Systems That Support Federal Human
Services Programs (GAO/T-AIMD-99-91, February 24, 1999).
4 See Year 2000 Computing Crisis: Action Needed to Ensure Continued Delivery of Veterans Benefits
and Health Care Services (GAO/T-AIMD-99-136, April 15, 1999).
Page 1 GAO/T-AIMD-99-160
HCFAs Ability to As the nation's largest health care insurer, Medicare expects to process
over a billion claims and pay $288 billion in benefits annually by 2000. The
Process Medicare consequences, then, of its systems' not being Y2K compliant could be
Claims Into the Next enormous. We originally highlighted this concern in May 1997 and made
several recommendations for improvement. 5 Our report of last September
Century warned that although HCFA had made improvements in its Y2K
management, the agency and its contractors were severely behind schedule
in making their computers that process Medicare claims Y2K compliant. In
February, we testified that although HCFA had been responsive to our
recommendations and that its top management was actively engaged in its
Y2K program, its reported progress was highly overstated. We testified that
none of HCFAs 54 external mission-critical systems reported compliant by
HHS as of December 31, 1998, was Y2K ready, based on serious
qualifications identified by the independent verification and validation
(IV&V) contractor. Further, we reported that HCFA continued to face
serious Y2K challenges. Specifically, HCFA
 lacked an overall schedule and critical path to identify and rank Y2K
tasks to help ensure that they could be completed in a timely manner;
 needed a formal risk management process to highlight potential
technical and managerial weaknesses that could impair project success;
 continued to have thousands of electronic data exchanges that were not
Y2K compliant;
 faced a significant amount of testing in 1999, especially since changes
will continue to be made to its mission-critical systems to make them
compliant; and
 needed to sustain its efforts to complete and test business continuity
and contingency plans to ensure that Medicare claims will be processed
next year.
The Office of Management and Budget (OMB) also continues to be
concerned about HCFAs progress. In its March 18, 1999, summary of Y2K
progress reports of all agencies for the reporting quarter ending February
12, 1999, it concluded that HCFA remains a serious concern due to external
systems testing, implementation schedules, and the qualified compliance of
a number of external mission-critical systems. OMB further stated that
although Medicare contractors had been making an intensive effort to
5 Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and Technical
Weaknesses (GAO/AIMD-97-78, May 16, 1997).
Page 2 GAO/T-AIMD-99-160
complete validation and implementation by the governmentwide deadline
of March 31, 1999, some external contractors may not succeed. Due in
large part to HCFAs status, OMB designated HHS as a tier 1 agency on its
three-tiered rating scale, meaning it had made insufficient progress in
addressing the Y2K problem.
HCFAs Actions to Achieve HCFA has been responsive to our recommendations. To more effectively
Compliance and Bolster
identify and manage risks, HCFA is relying on multiple sources of
information, including test reports, reports from its IV&V contractors, and
Outreach Efforts to
weekly status reports from its recently established contractor oversight
Medicare Providers
teams. In addition, HCFA has stationed staff at critical contractor sites to
assess the data being reported and to identify problems.
HCFA also is more effectively managing its electronic data exchanges. It
issued instructions to its contractors (fiscal intermediaries and carriers) to
inform providers and suppliers that they had to begin submitting Medicare
claims in Y2K-compliant data exchange format by April 5 of this year.
HCFA now reports that 93 percent of the fiscal intermediaries and 99
percent of the carriers are complying. HCFA also established new
instructions for contractors to report on data exchanges, and created a new
database to track status.
HCFA continues to further define its testing procedures. It required that
existing qualifications be addressed and tested by March 31, 1999. It also
issued instructionson January 11, 1999for all contractors to recertify
their systems from July 1 to November 1, 1999. To more clearly define this
testing, HCFA issued additional recertification and end-to-end testing
guidance on March 10, 1999.
HCFA has also begun to use several Y2K-analysis tools to measure testing
thoroughness, and its IV&V contractor is assessing test adequacy of the
external systems (e.g., test coverage and documentation). In addition to
the IV&V contractors efforts, HCFA has engaged a separate contractor to
conduct independent tests on some of its mission-critical systems. HCFA
further plans to perform end-to-end testing with its Y2K-compliant test
sites. These end-to-end tests are to include all internal systems and
contractor systems; however, they will not include testing with banks and
providers.
Another area in which HCFA has demonstrated progress is developing
business continuity and contingency plans to ensure that, no matter what,
Page 3 GAO/T-AIMD-99-160
beneficiaries will receive care and providers will be paid. HCFA
established cross-organizational workgroups to develop contingency plans
for the following core business functions: health plan and provider
payment, eligibility and enrollment issues, program integrity, managed
care, quality of care, litigation, and telecommunications. HCFAs fourth and
final iteration of this plan was issued on April 1, 1999, and the plan is
expected to be tested by June 30.
HCFA has continued to strengthen its outreach efforts to the providers of
Medicare services. On January 12, 1999, the Administrator sent individual
letters to over 1.3 million Medicare providers in the United States, alerting
them to take prompt Y2K action on their information and billing systems.
Three days later, the Administrator sent a letter to Congress, with
assurances that HCFA is making progress and stressing that physicians,
hospitals, and other providers must also meet the Y2K challenge. HCFA
also offered to provide speakers in local congressional districts, is holding
a series of conferences throughout the country, and has established a toll-
free information hotline.
Reported Status of HCFAs HCFA operates and maintains 25 internal mission-critical systems; it also
Mission-Critical Systems
relies on 75 external mission-critical systems operated by contractors
throughout the country who process Medicare claims. These external
systems include six standard processing systems and the Common
Working File. Each contractor relies on one of these standard systems to
process its claims, and adds its own front-end and back-end processing
systems. The Common Working File is a set of databases located at nine
sites that works with internal and external systems to authorize claims
payments and determine beneficiary eligibility.
In HHS latest Y2K quarterly progress report to OMB, dated February 10,
it reported that as of December 31, 1998, all 25 of HCFAs internal mission-
critical systems were reported to be compliant, as were 54 of the external
systems. Yet as we testified in February, none of these 54 systems was Y2K
ready because all had important associated qualifications (exceptions),
some of them significant. 6 HCFA issued a memorandum in early January
requesting Medicare carriers and fiscal intermediaries to resolve these
qualifications by March 31, the federal target date for Y2K compliance.
HCFA reported to us on April 19, 1999, that most of these qualifications
6 GAO/T-AIMD-99-89, February 24, 1999.
Page 4 GAO/T-AIMD-99-160
have been resolved and that 73 of 75 external systems are now compliant
(the total number of external mission-critical systems decreased from 78 to
75 because three contractors plan to leave the Medicare program before
the end of the year).
HCFAs IV&V contractors analysis of the qualifications was consistent with
what HCFA reported to us. Specifically, the IV&V contractors analysis of
the 53 external systems concluded that 19 had no remaining qualifications,
33 had qualifications it deemed low impact (i.e., could be addressed
within the next 3 months or would have a minor impact on the sites ability
to meet Medicare requirements), and 1 had qualifications deemed critical.
The IV&V contractor recommended that all qualifications be resolved by
June 28, 1999, so that HCFAs final testing of its mission-critical systems
could begin on July 1, 1999, with no open qualifications.
Despite Reported The HCFA mission-critical systems that have been characterized as Y2K
Compliance, HCFAs
compliant are not, however, the final systems that will be processing
Medicare claims on January 1, 2000. These systems will undergo a
Mission-Critical Systems
significant amount of change between now and July 1, 1999, for both Y2K
Still Require Additional Y2K
and other reasons. These changes will require a complete retest to ensure
Renovation and Testing that the systems have not been contaminated by the changes and that they
still are indeed Y2K compliant.
Specifically, these changes will address (1) outstanding qualifications,
(2) additional Y2K changes, (3) a critical software release of the Common
Working File, and (4) legislative mandates. 7 In addition to the changes
required to address outstanding qualifications, changes are also occurring
because of other compliance issues not listed as qualifications. For
example, three standard system maintainers are currently updating their
systems because the earlier renovation was performed with noncompliant
compilers. 8 Each of these three upgrades is scheduled to be completed by
July 1999. In addition, analyses using tools that determine the Y2K
readiness of software code are uncovering additional Y2K programming
errors. For example, 28 programming errors were recently identified using
a Y2K tool on the Florida standard system. These errors are to be
7
These legislative mandates include software changes required to implement new policies for the
Balanced Budget Act of 1997, such as hospice updates and Medicare+Choice.
8A compiler is a computer program that converts human-readable source code into a sequence of
machine instructions that the computer can run.
Page 5 GAO/T-AIMD-99-160
corrected and tested by June 1999. According to HCFA officials, such
errors were uncovered based on an inspection of only about one-seventh of
the software code associated with the Florida standard system. If time
permits, HCFA is considering using this Y2K tool on 100 percent of the code
on all of the standard systems.
In addition to these Y2K-related changes, HCFA is planning a major
software release of the Common Working File in late June, and legislatively
mandated changes are to occur through June. HCFA plans to conduct final
tests of its systems between July 1 and November 1, 1999, then recertify all
mission-critical systems as compliant without qualification or exception.
These final tests will ultimately determine whether HCFAs mission-critical
systems are Y2K compliant. The late 1999 time frames associated with this
testing represent a high degree of risk.
Other Critical Risks and Testing is a critical area in which HCFA faces significant challenges.
Challenges Remain
Complete and thorough testing is essential to providing reasonable
assurance that new or modified systems will process dates correctly and
will not jeopardize an organizations ability to perform core business
operations. Because the Y2K problem is so pervasive, potentially affecting
an organizations systems software, applications software, databases,
hardware, firmware, embedded processors, telecommunications, and
interfaces, the requisite testing can be extensive and expensive.
Experience is showing that Y2K testing is consuming between 50 and 70
percent of a Y2K projects time and resources. According to our guide, to
be done effectively, testing should be planned and conducted in a
structured and disciplined fashion. 9
To date, HCFAs testing of its external systems has not been rigorous.
HCFAs IV&V contractor has reported concerns with test documentation,
readiness, and coverage associated with HCFAs external mission-critical
systems. Specifically, the IV&V contractor reported that the quality of test
documentation has been found to be incomplete and inadequate during a
significant number of site visits. In addition, the results of using a Y2K tool
to assess renovation quality and test readiness on each of the standard
systems revealed that both indicators are primarily rated in the low to
medium ranges, meaning that errors exist that could cause Y2K-related
system failures.
9 Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, November 1998).
Page 6 GAO/T-AIMD-99-160
The IV&V contractor also reported that HCFAs contractors have no
satisfactory mechanism for determining the quality of test coverage (e.g.,
systems functionality, HCFA-mandated dates, interface coverage)
associated with the self-certification testing. Because of this, HCFA issued
instructions on April 9, 1999, that required contractors to submit
information on the functionality covered by their test cases. Until test
coverage is determined and testing is fully executed, the quality of the
testing conducted will remain unknown.
In addition, two standard system maintainers did not test with the Common
Working File, rather, they used a system that simulates the functions
performed by the Common Working File. Testing with a system that
simulates the Common Working File is less than ideal since the simulated
system is not identical to the actual system. HCFA has acknowledged this
and plans to have these two standard system maintainers test with the
Common Working File during the recertification testing.
Further, testing has not been completed in the optimal sequence to ensure
compliance of all systems. Since each contractor relies on one of the six
standard systems to process its claims, ideally each of these six standard
systems should have been completely tested before the contractors tested
their front-end and back-end processing systems with their respective
standard systems. However, only the Florida standard system maintainer
completed future-date testing before the system was provided to its
29 contractors. Thus, more than half of the contractors tested with
standard systems that had not completed Y2K testing. Managing multiple
testing baselines and ensuring that corrections to one systems testing
errors does not lead to problems in another system is a major challenge.
In September 1998 we recommended that HCFA rank its remaining Y2K
work on the basis of a schedule that includes milestones for renovation and
testing of all systems, and that it include time for end-to-end testing and
development and testing of business continuity and contingency plans. 10
Such a schedule is extremely important because of the number of systems,
their complexity, and interdependencies among them. However, HCFA still
lacks an integrated schedule. The complexity and required sequencing of
the 75 external and 25 internal systems associated with the recertification
requires an integrated testing schedule to avoid scheduling constraints.
For example, the Common Working File and standard systems should be
10 GAO/AIMD-98-284, September 28, 1998.
Page 7 GAO/T-AIMD-99-160
tested initially so that the contractors can test with fully compliant
systems. Without an integrated schedule, HCFA cannot effectively
prioritize remaining work or ensure that all Y2K testing will be completed
on time.
HCFAs late start and the limited time remaining raises risks that the
recertification testing will likewise not be as rigorous as necessary. Two
areas already have us concernedtesting overlap and a decrease in the
number of future dates that will be tested. HCFA officials told us that
contractors will begin to test with the Common Working File before it is
completely Y2K-tested. Ideally, these tests should be done sequentially so
that each contractor can test with a fully Y2K-tested Common Working File.
Also, although HCFAs recertification will test four future dates, two more
than the self-certification testing, this total is fewer than what HCFA had
originally planned. Initially, HCFA planned to test with nine future dates.
In addition to such individual systems testing, HCFA must also test its
systems end-to-end to verify that defined sets of interrelated systems,
which collectively support an organizational core business function, will
work as intended. As mentioned, HCFA plans to perform this end-to-end
testing with its Y2K-test sites. These tests are to include all internal
systems and contractor systems, but will not include testing with banks
and providers. HCFA has required its contractors to future-date test with
providers and financial institutions. Even excluding banks and providers,
end-to-end testing of HCFAs internal and external systems is a massive
undertaking that will need to be effectively planned and carried out. HCFA
has not yet, however, developed a detailed end-to-end test plan that
explains how these tests will be conducted or that provides a detailed
schedule for conducting them.
A final aspect of testing concerns the independent testing contractor.
HCFA expects this testing to be completed by August 31. This contractor
currently plans to test eight internal systems and the six external standard
systems. Originally, all 25 internal mission-critical systems were to be
tested. In addition, because of the changing nature of the Medicare
systems and the limited remaining time, the independent testing will be
conducted with systems that were available January 1999, not with the
exact systems that will be operating on January 1, 2000.
HCFA also faces risks because it has thousands of data exchanges that are
not yet compliant. HCFAs systemsboth internal and externalexchange
data, both among themselves and with the Common Working File, other
Page 8 GAO/T-AIMD-99-160
federal agencies, banks, and providers. Accordingly, it is important that
HCFA ensure that Y2K-related errors will not be introduced into the
Medicare program through these data exchanges. HCFAs total number of
data exchanges dropped significantly since February 10, 1999. The number
of internal data exchanges declined from 7,968 to 3,209, while the number
of external data exchanges dropped from 255,383 to 141,866. HCFA
officials attributed this decrease to performing a major cleanup of the
data. As of April 9, 1999, HCFA reported that only four of its 3,209 internal
data exchanges were still not compliant, and that over 3,000 of its 141,866
external data exchanges were not compliant. To ensure that HCFAs
internal and external systems are capable of exchanging data between
themselves as well as with other federal agencies, banks, and providers, it
is essential that HCFA take steps to resolve the remaining noncompliance
of these data exchanges.
Given the magnitude of HCFAs Y2K problem and the many challenges that
continue to face it, the development of contingency plans to ensure
continuity of critical operations and business processes is absolutely
critical. Therefore, HCFA must sustain its efforts to complete and test its
agencywide business continuity and contingency plans by June 30.
Another challenge for HCFA is monitoring the progress of the 62 separate
business continuity and contingency plans that will be submitted by its
contractors. We will continue to monitor progress in this area.
Other issues that further complicate HCFAs Y2K challenge are planned
October 1, 1999, and January 1, 2000, provider payment updates; the known
and unknown contractor transitions that are to take place before January 1,
2000; and the unknown status of the managed care organizations serving
Medicare beneficiaries. We have requested detailed information on the
specific changes that the October 1 and January 1 updates will require to
determine the amount of testing that will be necessary after these changes
are made. HCFA already is faced with too much to test in too little time,
and these updates further contribute to already monumental testing
challenges.
As reported in HHS quarterly submission to OMB, HCFA is concerned
about the possibility of Medicare contractors, fiscal intermediaries, and
carriers leaving the program and notifying HCFA of this after June. If this
were to occur, the workload would have to be transferred to another
contractor whose Y2K-compliance status may not be known. According to
both contractor and HCFA officials, it requires 6-12 months to transfer the
claims processing workload from one contractor to another. At present,
Page 9 GAO/T-AIMD-99-160
HCFA is transitioning the work of the three contractors that are leaving the
program.
HCFA required the 386 managed care organizations currently serving
6.6 million Medicare beneficiaries to certify their systems as Y2K compliant
by April 15. As of April 21, 1999, HCFA had received certifications from
315 of the organizations. Similar to fee-for-service contractors, 271 of the
315 certifications contained qualifications. We plan to review these
certifications as part of our ongoing work for the Senate Special Committee
on Aging to determine whether the managed care organizations systems
are Y2K compliant and whether a formal recertification would have to be
performed later this year.
Medicaid Systems Are Similar to Medicare, the systems supporting the Medicaid program also
face Y2K challenges and risk. In fiscal year 1997, Medicaida joint
at Risk federal-state program supported by HCFA and administered by the states
provided about $160 billion to millions of recipients. Medicaid provides
health coverage for 36 million low-income people, including over 17 million
children. Its beneficiaries also include elderly, blind, and disabled
individuals.
In surveying states Y2K status last summer, 11 we found that many systems
were at risk and much work remained to ensure the continuation of
services. The states reported compliance rate for Medicaid systems was
only about 16 percent, and 18 states reported that they had completed
renovating one quarter or fewer of their Medicaid claims processing
systems. These 18 states had Medicaid expenditures of about $40 billion in
fiscal year 1997one quarter of total Medicaid expenditures nationwide,
covering about 9.5 million recipients.
In response, HCFA administered two state self-reported surveys and
conducted several on-site visits and found that overall state Medicaid
systems status had improved little. To obtain more reliable Y2K state
Medicaid status information, HCFA also hired a contractor to conduct
independent verification and validation of states systems.
11 Year 2000 Computing Crisis: Readiness of State Automation Systems to Support Federal Welfare
Programs (GAO/AIMD-99-28, November 6, 1998). We sent a survey to the 50 states, the District of
Columbia, and three territories (Guam, Puerto Rico, and the Virgin Islands). All but 1 of the 54 entities
surveyed responded.
Page 10 GAO/T-AIMD-99-160
HCFA reported in HHS February 1999 quarterly report to OMB that based
on seven site visits, some of the dates that states had reported to us in
July/August 1998 had already slipped, underscoring the need for on-site
visits to secure more accurate information. In addition, according to
HCFA, while four states appeared to have made some progress in the
6 months since our survey, three states status remained the same. Further,
HCFA found that one states Medicaid eligibility system was not as far along
as the state had reported in our survey. To assist states with their effort,
HCFAs IV&V contractor plans to make on-site visits to all 50 states and the
District of Columbia by the end of this April. For states considered at risk,
HCFA will conduct second site visits between May and September 1999
and, if necessary, third visits between October and December 1999. The
later visits will emphasize contingency planning to help the states ensure
continuity of program operations in the event of systems failures.
Y2K Readiness of the At this point, I would like to broaden our discussion to the Y2K-readiness
status of the health care sector, including biomedical equipment 12 and
Health Care Sector: pharmaceutical and medical-surgical products used in the delivery of
Much Work Remains health care. While it is undeniably important that Medicare and Medicaid
systems be compliant so that the claims of health care providers and
beneficiaries can be paid, it is also critical that the services and products
associated with health care delivery itself be Y2K compliant. However,
with just over 8 months until the turn of the century, the level of progress to
date is not reassuring.
Virtually everything in todays hospital is automatedfrom the scheduling
of procedures such as surgery, to the ordering of medication such as insulin
for a diabetic patient, to the use of portable devices as diverse as heart
defibrillators and thermometers. It, therefore, becomes increasingly
important for health care providers such as doctors and hospitals to assess
their health information systems, facility systems (such as heating,
ventilating, and air conditioning equipment), and biomedical equipment to
ensure their continued operation on January 1, 2000. Similarly,
pharmaceutical manufacturers and suppliers that rely heavily on computer
systems for the manufacture and distribution of drugs must assess their
processes for compliance. Given the large degree of interdependence
among components of the health sectorproviders, suppliers, insurance
12 Biomedical equipment refers to both medical devices regulated by the Food and Drug Administration
(FDA), and scientific and research instruments, which are not subject to FDA regulation.
Page 11 GAO/T-AIMD-99-160
carriers, and patients/consumersthe availability and sharing of Y2K
readiness information is vital to safe, efficient, and effective health care
delivery.
In response to an October 1998 request from the Chair of the Presidents
Council on Year 2000 Conversion, several federal agencies and professional
health care associations surveyed key components of the health care
sector. Accordingly, the amount of readiness information on this sector has
increased in recent months. The survey results, however, indicate that
much work still remains in renovating, testing, and implementing
compliant systems. Further, readiness information on the health sector is
still incomplete because a significant number of sector members did not
respond to the surveys.
According to a survey that the American Hospital Association (AHA) sent
to 2,000 of its members in February 1999, much work remains. For
example, based on the 583 responses received as of March 1, 1999, the
hospitals reported that only about 6 percent of the medical devices,
13 percent of information systems, and 24 percent of physical plant/
infrastructure are compliant. However, most hospitals indicated that they
expect to be compliant by the end of the year. 13
The American Medical Associations (AMA) survey to 7,000 physicians
showed that approximately 47 percent of the 522 physicians that responded
by mail or telephone indicated that they do not have a good understanding
of Y2K conversion, and have practices that are not Y2K ready. Almost all of
these physicians reported that they would be ready by the end of the year.
The survey disclosed no difference between the Y2K preparedness of large
physician groups and solo or small physician groups (10 physicians or
fewer). However, AMA stated that caution should be taken in interpreting
the survey results due to the low response rate.
According to responses received to a December 1998 survey sent by HHS
Office of the Inspector General to a sample of 5,000 Medicare providers
1,000 each to hospitals, nursing homes, durable medical device
manufacturers, physicians, and home health agenciesexcept for
hospitals, providers reported making limited progress in assessing their
biomedical equipment for Y2K compliance. All providers reported making
13 Compliance refers to the hospitals information systems, medical devices, and physical plant/
infrastructure.
Page 12 GAO/T-AIMD-99-160
limited progress in testing data exchanges between their computers and
external vendors, and developing emergency backup plans in case of
computer failures. Further, many Medicare providers did not respond to
this survey. For example, the response rates for medical device
manufacturers, physicians, and home health agencies were less than
30 percent.
A survey sent by the Association of State and Territorial Health Officials
and the Centers for Disease Control and Prevention (CDC) to 57 state and
territorial health officials in December 1998 showed that two thirds of the
29 respondents did not have contingency plans. CDC is also concerned
about the lack of readiness information on local public health agencies.
Finally, according to the second quarterly report by the Presidents Council
on Year 2000 Conversion, the health care sector has not made adequate
progress in addressing the Y2K problem. 14 The report stated that while
recent surveys indicate that health care providers have a high level of
confidence that they will complete much of the work on mission-critical
systems before the end of the year, the actual number of systems made
compliant to date is relatively low in areas from recordkeeping to
infrastructure. The report noted that recordkeeping systems are of great
concern because they play an essential role in processing payment claims
to insurance companies and government health agencies.
Biomedical Equipment: The question of whether medical devices such as magnetic resonance
Status Information Available
imaging (MRI) systems, x-ray machines, pacemakers, and cardiac monitors
can be counted on to work reliably on and after January 1, 2000, is critical
for Many Items, but Test
to medical care delivery. To the extent that biomedical equipment uses
Results Not Reviewed
embedded computer chips, it is vulnerable to the Y2K problem.
Such vulnerability carries with it possible safety risks. This could range
from the more benignsuch as incorrect formatting of a printoutto the
most serioussuch as incorrect operation of equipment with the potential
to adversely affect the patient. The degree of risk depends in large part on
the role the equipment plays in a patients care.
14 The Presidents Council on Year 2000 Conversion: Second Summary of Assessment Information,
April 21, 1999.
Page 13 GAO/T-AIMD-99-160
Responsibility for oversight and regulation of medical devices, including
the impact of the Y2K problem, lies with FDA. Last September we testified
that FDA, like the Veterans Health Administration (VHA)a key federal
health care providerwas trying to determine the Y2K compliance status
of biomedical equipment. 15 FDAs goal was to provide a comprehensive,
centralized source of information on the Y2K compliance status of
biomedical equipment used in the United States and to make this
information publicly available on a web site. However, at the time, FDA
had a disappointing response rate from manufacturers to its letter
requesting compliance information. And, while FDA made this information
available to the public, it was not detailed enough to be useful. Specifically,
FDAs list of compliant equipment lacked information relating to the
particular make and model of the equipment.
To provide more detailed information on the compliance status of
biomedical equipment, as well as to integrate more detailed compliance
information gathered by VHA, we recommended that VA and HHS jointly
develop a single data clearinghouse that provides such information to all
users. We said development of the clearinghouse should involve
representatives from the health care industry, such as the Department of
Defenses Health Affairs and the Health Industry Manufacturers
Association. In addition, we recommended that the clearinghouse contain
such information as (1) the compliance status of all biomedical equipment
by make and model, and (2) the identity of manufacturers that are no
longer in business. We also recommended that VHA and FDA determine
what actions should be taken regarding biomedical equipment
manufacturers that have not provided compliance information.
In response to our recommendation, FDAin conjunction with VHAhas
established the Federal Year 2000 Biomedical Equipment Clearinghouse.
With the assistance of VHA, the Department of Defense, and the Health
Industry Manufacturers Association, FDA has made progress in obtaining
compliance-status information from manufacturers. For example,
according to FDA, 4,251 biomedical equipment manufacturers had
submitted data to the clearinghouse as of April 5, 1999. As shown in figure
1, about 54 percent of the manufacturers reported having products that do
not employ a date, while about 16 percent reported having date-related
15 Year 2000 Computing Crisis: Leadership Needed to Collect and Disseminate Critical Biomedical
Equipment Information (GAO/T-AIMD-98-310, September 24, 1998).
Page 14 GAO/T-AIMD-99-160
problems such as incorrect display of date/time. FDA is still awaiting
responses from 399 manufacturers.
Figure 1: Biomedical Equipment Compliance-Status Information Reported to FDA by
Manufacturers as of April 5, 1999
2,500
2,299
2,000
1,500
Number of
manufacturers
1,000 880
669
500 403
0
ot ing te-
d
rte ite
on p loy da po eb s
d h e
ts date em nt wit lems
r w
us ’s
uc ts plia ts
rod oy a c
du com d u c p ro b s tat urer
P pl ro o t t
em l p a re Pr ated uc fac
l
re l od u
A te Pr man
da in
Note: Total number of manufacturers = 4,251.
Source: FDA.
FDA has also expanded the information in the clearinghouse. For example,
users can now find information on manufacturers that have merged with or
have been bought out by other firms.
In collaboration with the National Patient Safety Partnership, 16 FDA is in
the process of obtaining more detailed information from manufacturers on
noncompliant products, such as make and model and descriptions of the
16 The National Patient Safety Partnership is a coalition of public and private health care providers,
including VA, the American Medical Association, the American Hospital Association, the American
Nurses Association, and the Joint Commission on Accreditation of Healthcare Organizations.
Page 15 GAO/T-AIMD-99-160
impact of the Y2K problem on products left uncorrected. For example,
FDA sent a March 29, 1999, letter requesting that medical device
manufacturers submit to the clearinghouse a complete list of individual
product models that are Y2K compliant.
We reported last September that VHA and FDA relied on manufacturers to
validate, test, and certify that equipment is Y2K compliant. 17 We also
reported that there was no assurance that the manufacturers adequately
addressed the Y2K problem for noncompliant equipment, because FDA did
not require medical device manufacturers to submit test results to it
certifying compliance. Accordingly, we recommended that VA and HHS
take prudent steps to jointly review manufacturers compliance test results
for critical care/life support biomedical equipment. We were especially
concerned that VA and FDA review test results for equipment previously
determined to be noncompliant but now deemed by manufacturers to be
compliant, or equipment for which concerns about compliance remain. We
also recommended that VA and HHS determine what legislative, regulatory,
or other changes were necessary to obtain assurances that the
manufacturers equipment was compliant, including the need to perform
independent verification and validation of the manufacturers
certifications.
At the time, VA stated that it had no legislative or regulatory authority to
implement the recommendation to review test results from manufacturers.
In its response, HHS stated that it did not concur with our recommendation
to review test results supporting medical device equipment manufacturers
certifications that their equipment is compliant. It said that the submission
of appropriate certifications of compliance was sufficient to ensure that the
certifying manufacturers equipment was compliant. HHS also stated that
it did not have the resources to undertake such a review, yet we are not
aware of HHS requesting resources from the Congress for this purpose.
More recently, VHAs Chief Biomedical Engineer told us that VHA medical
facilities are not requesting test results for critical care/life support
biomedical equipment; they also are not currently reviewing the test results
available on manufacturers web sites. He said that VHAs priority is
determining the compliance status of its biomedical equipment inventory
and replacing noncompliant equipment. The director of FDAs Division of
17 GAO/AIMD-98-240, September 18, 1998.
Page 16 GAO/T-AIMD-99-160
Electronics and Computer Science likewise said FDA sees no need to
question manufacturers certifications.
In contrast to VHAs and FDAs positions, some hospitals in the private
sector believe that testing biomedical equipment is necessary to prove that
they have exercised due diligence in the protection of patient health and
safety. Officials at three hospitals told us that their biomedical engineers
established their own test programs for biomedical equipment, and in many
cases contacted the manufacturers for their test protocols. Several of
these engineers informed us that their testing identified some
noncompliant equipment that the manufacturers had previously certified as
compliant. According to these engineers, to date, the equipment found to
be noncompliant all had display problems and was not critical care/life
support equipment. We were told that equipment found to be incorrectly
certified as compliant included a cardiac catheterization unit, a pulse
oxymeter, medical imaging equipment, and ultrasound equipment.
VHA, FDA, and the Emergency Care Research Institute 18 continue to
believe that manufacturers are best qualified to analyze embedded systems
or software to determine Y2K compliance. They further believe that
manufacturers are the ones with full access to all design and operating
parameters contained in the internal software or embedded chips in the
equipment. VHA believes that such testing can potentially cause
irreparable damage to expensive health care equipment, causing it to lock
up or otherwise cease functioning. Further, a number of manufacturers
also have recommended that users not conduct verification and validation
testing.
We continue to believe that, rather than relying solely on manufacturers'
certifications, organizations such as VHA or FDA can provide users of
biomedical equipment with a greater level of confidence that the equipment
is Y2K compliant through independent reviews of manufacturers
compliance test results. The question of whether to independently verify
and validate biomedical equipment that manufacturers have certified as
compliant is one that must be addressed jointly by medical facilities
clinical staff, biomedical engineers, and corporate management. The
overriding criterion should be ensuring patient health and safety.
18 An international, nonprofit health services research agency. This organization believes that
superficial testing of biomedical equipment by users may provide false assurances, as well as create
legal liability exposure for health care institutions.
Page 17 GAO/T-AIMD-99-160
Y2K-Readiness Information Another question critical to the delivery of health care is knowing whether
on Pharmaceutical and
there will be sufficient supplies of pharmaceutical and medical-surgical
products available for consumers at the turn of the century. As the largest
Medical-Surgical
centrally directed civilian health care system in the United States, VHA has
Manufacturers Is
taken a leadership role in the federal government in determining whether
Incomplete manufacturers supplying these products are Y2K-ready. This information is
essential to VHAs medical operations because of its just-in-time 19
inventory policy. Accordingly, VHA must know whether its manufacturers
processes, which are highly automated, 20 are at risk, as well as whether the
rest of the supply chain will function properly.
To determine the Y2K readiness of its suppliers, VAs National Acquisition
Center (NAC) 21 sent a survey on January 8, 1999, to 384 pharmaceutical
firms and 459 medical-surgical firms with which it does business. The
survey contained questions on the firms overall Y2K status and inquired
about actions taken to assess, inventory, and plan for any perceived impact
that the century turnover would have on their ability to operate at normal
levels. In addition, the firms were requested to provide status information
on progress made to become Y2K compliant and a reliable estimated date
when compliance will be achieved for business processes such as
(1) ordering and receipt of raw materials, (2) mixing and processing
product, (3) completing final product processing, (4) packaging and
labeling product, and (5) distributing finished product to distributors/
wholesalers and end customers.
According to NAC officials, of the 455 firms that responded to the survey as
of March 31, 1999, about 55 percent completed all or part of the survey. The
remainder provided either general information on their Y2K readiness
status or literature 22 on their efforts. As shown in table 1, more than half of
the pharmaceutical firms surveyed responded (52 percent), with just less
than one third (32 percent) of those respondents reporting that they are
19 This term refers to maintaining a limited inventory on hand.
20 Pharmaceutical manufacturers rely on automated systems for production, packaging, and distribution
of their products, as well as for ordering raw materials and supplies.
21 This organization is responsible for supporting VHAs health care delivery system by providing an
acquisition program for items such as medical, dental, and surgical supplies and equipment;
pharmaceuticals; and chemicals. NAC is part of VA's Office of Acquisition and Materiel Management.
22 This includes annual and quarterly financial reports required by the Securities and Exchange
Commission for companies listed on the New York Stock Exchange.
Page 18 GAO/T-AIMD-99-160
compliant. The table also shows that 54 percent of the medical-surgical
firms surveyed responded, with about two-thirds of them (166) reporting
that they are Y2K compliant.
Table 1: Status of Companies Surveyed by VHA as of March 31, 1999
Responses Pharmaceutical Medical-surgical
Y2K compliant 65 166
Will be compliant by 1/1/2000 or earliera 90 70
Provided no compliant date 50 14
Total number of responses 205 250
Non-responses 179 209
Total number of firms surveyed 384 459
aEstimatedcompliance status ranged from 3/31/99 through 1/1/2000; about 71 percent of
pharmaceutical firms and 80 percent of medical-surgical firms estimated they will be compliant by
7/31/99. One firm responded that it will be compliant by 1/1/2000.
Source: VA. We did not independently verify these data.
On March 17, 1999, NAC sent a second letter to its pharmaceutical and
medical-surgical firms, informing them of VAs plans to make Y2K readiness
information previously provided to VA available to the public through a
web site ( www.va.gov/oa&mm/nac/y2k ). VA made the survey results
available on its web site on April 13, 1999. The letter also requested that
manufacturers that had not previously responded provide information on
their readiness. NACs Executive Director said that he would personally
contact any major VA supplier that does not respond.
On a broader level, VHA has taken a leadership role in obtaining and
sharing information on the Y2K readiness of the pharmaceutical industry.
Specifically, VHA chairs the Year 2000 Pharmaceuticals Acquisitions and
Distributions Subcommittee, which reports to the Chair of the Presidents
Council on Year 2000 Conversion. The purpose of this subcommittee is to
bring together federal and pharmaceutical representatives to address
issues concerning supply and distribution as it relates to the year 2000. The
subcommittee consists of FDA; federal health care providers; industry
trade associations such as the Pharmaceutical Research and Manufacturers
of America (PhRMA), Generic Pharmaceutical Industry Association, the
National Association of Chain Drug Stores, and the National Wholesale
Druggists Association; and consumer advocates.
Page 19 GAO/T-AIMD-99-160
In response to the Chairs request for Y2K-readiness information on the
pharmaceutical industry, several of these trade associations, representing
both brand name and generic pharmaceutical manufacturers, have
surveyed their members on this issue. Table 2 summarizes the survey
results available to date.
Table 2: Summary of Y2K Readiness Survey Results From Pharmaceutical
Manufacturers
Number of
Industry trade members Number of
association surveyed responses Summary of results
a
Pharmaceutical 25 24 All respondents have Y2K plans and
Research and are developing contingency plans to
Manufacturers of ensure continuous supply of
America (PhRMA) medicines to patients. Respondents
expect to collectively spend $1.75
billion to address the Y2K problem.
Most repair work is expected to be
completed in early to mid-1999.
Generic 16b 14 All respondents have Y2K plans and
Pharmaceutical individually expect to spend no more
Industry Association than $1.5 million on the Y2K problem.
(GPIA) Most repair work is expected to be
completed in June or July 1999.
National Association 12 7 Most respondents have Y2K plans.
of Pharmaceutical
Manufacturers
(NAPM)
Association of 41c 41 All respondents have Y2K plans.
Military Surgeons of Respondents are spending from $2
the U.S. (AMSUS) million to $70 million on the Y2K
problem. All repair work is expected
to be completed by June 30, 1999.
aThese members constitute more than 90 percent of the industry capacity represented by PhRMA,
which represents more than 95 percent of the research-based pharmaceutical manufacturers in the
United States.
bThis number only represents those members that are generic pharmaceutical manufacturers.
c
Of the members surveyed, 24 are also members of PhRMA and 22 of these participated in the
PhRMA survey.
Source: Associations listed. We did not independently verify these data.
In addition, the National Wholesale Druggists Association sent a survey to
240 of its associate members that are pharmaceutical manufacturers
requesting information on patient stockpiling of pharmaceutical products.
Three quarters of the 77 members responding as of November 1998 said
Page 20 GAO/T-AIMD-99-160
they could currently fill orders which will provide patients with a 3-month
supply. Less than 20 percent of the respondents said they could provide a
1-year supply. Finally, in January 1999, the National Association of Chain
Drug Stores sent a survey to over 130 of its members and received
responses from about 25 percent. These respondents indicated that they
will finish Y2K renovations by September 30, 1999, and two-thirds of the
respondents have developed contingency plans.
Based on their survey results, these industry trade associations believe that
computer systems and software application problems will not substantially
impede the ability of the supply chain to maintain an uninterrupted flow of
medicines. However, in contrast to VHAs survey, the associations surveys
were provided in summary format and did not contain detailed information
on the Y2K readiness of specific manufacturers or members of the supply
chain. This information is necessary if consumers are to have confidence
that there will be a sufficient supply of medications on hand at the turn of
the century.
FDAs Y2K Efforts for FDAs oversight and regulatory responsibility for pharmaceutical and
Pharmaceutical and
biological products 23 is to ensure that they are safe and effective for their
intended uses. Because of its concern about the Y2K impact on
Biological Products
manufacturers of these products, FDA has taken several actions to raise
Industries Focused Initially
the Y2K awareness of the pharmaceutical and biological products
on Awareness industries. In addition, it is thinking about conducting a survey to
determine the industrys Y2K readiness.
One of FDAs actions to raise industry awareness was the January 1998
issuance of industry guidance by the Center for Biologics Evaluation and
Research (CBER) on the Y2K impact of computer systems and software
applications used in the manufacture of blood products. In addition, as
shown in table 3, FDA has issued several letters to pharmaceutical and
biological trade associations and sole-source drug manufacturers.
23 Biological products include vaccines, blood, and blood products.
Page 21 GAO/T-AIMD-99-160
Table 3: FDA Letters to Manufacturers Regarding Y2K
Date FDA source Recipient Purpose
October Center for Pharmaceutical To relay to members FDA’s
1998 Drug Evaluation manufacturer expectation that the pharmaceutical
and Research trade associations industry would (1) make resolution
of Y2K a high priority, (2) ensure
that production systems were fixed
and tested prior to January 1, 2000,
and (3) urge manufacturers to
develop Y2K contingency plans.
October Center for Biologics Same as above.
1998 Biologics manufacturer
Evaluation and trade associations
Research
January Center for Sole-source drug Same as above. Also (1) noted that
1999 Drug Evaluation manufacturers the impact of Y2K on
and Research pharmaceutical safety, efficacy, and
availability merits special attention
for firms which are the sole
manufacturers of drug components,
bulk ingredients, and finished
products, and (2) stated that
pharmaceutical industry suppliers
must have Y2K-compliant systems
to protect against disruption in the
flow of product components,
packaging materials, and
equipment to pharmaceutical
manufacturers.
Source: FDA.
Further, on February 11, 1999, FDAs director of emergency and
investigation operations sent a memorandum on FDAs interim inspection
policy for the Y2K issue to the directors of FDAs field investigations. The
policy emphasizes FDAs Y2K awareness efforts for manufacturers. It
states that FDA inspectors are to (1) inform firms of FDAs Y2K web page
(URL http://www.fda.gov/cdrh/yr2000/year2000.html ), (2) provide
firms with copies of the appropriate FDA Y2K awareness letter, (3) explain
that Y2K problems could potentially affect aspects of the firms operations,
including some areas not regulated by FDA, and that FDA anticipates that
firms will take prudent steps to ensure that they are not adversely affected
by Y2K, and (4) provide firms with a copy of FDAs compliance policy guide
Year 2000 (Y2K) Computer Compliance.
In addition, on February 22, 1999, FDA and PhRMA jointly held a
government/industry forum on the Y2K preparedness of the
Page 22 GAO/T-AIMD-99-160
pharmaceutical and biotech industries. The objectives of this forum were
to (1) share information on Y2K programs conducted by health care
providers, pharmaceutical companies, FDA, and other federal agencies,
(2) provide a vehicle for networking, and (3) raise awareness.
On March 29, 1999, FDA revised its February 11, 1999, interim inspection
policy. The revision states that field inspectors are now to inquire about
manufacturers efforts to ensure that their computer-controlled or
date-sensitive manufacturing processes and distribution systems are
Y2K compliant. Inspectors are to include this information in their reports,
along with a determination of activities that firms have completed or
started to ensure that they will be Y2K compliant.
Further, FDA inspectors may review documentation in cases in which firms
have made changes to their regulated computerized production or process
control systems to address Y2K issues. The purpose of this review is to
ensure that the changes were made in accordance with firms procedures
and applicable regulations. If inspectors determine that a firm has not
taken steps to ensure Y2K compliance, they are to notify their district
managers and the responsible FDA center.
FDAs interim policy describes steps inspectors are to take in reviewing
manufacturers Y2K compliance. However, FDA stated that the primary
focus of its inspections for the remainder of 1999 will be to ensure that
products sold in the United States are safe and effective for their intended
use and comply with federal statutes and regulations, including current
good manufacturing practice requirements. 24 FDA officials explained
that the agency does not have sufficient resources to perform both
regulatory oversight of the manufacturers and in-depth evaluations of
firms Y2K compliance activities.
Nevertheless, according to the March 29, 1999, memorandum, field
inspectors are to note, in the administrative remarks section of their
inspection reports, any concerns they may have with a firms Y2K
readiness. These reports are to be reviewed by FDA district managers.
According to FDA, if a Y2K-related concern affects the identity, strength,
quality, purity, and potency, as well as safety, effectiveness, or reliability of
a drug product, the district manager can discuss this issue with FDAs
24 These include federal standards for ensuring that products are high in quality and produced under
sanitary conditions (21 CFR parts 210, 211).
Page 23 GAO/T-AIMD-99-160
Office of Regulatory Affairs and determine a course of action, including
product correction or removal.
Like VHA, FDA is interested in the impact of Y2K readiness of
pharmaceutical and biological products on the availability of products for
health care facilities and individual patients. FDAs Acting Deputy
Commissioner for Policy informed us on March 24, 1999, that the agency is
thinking about surveying pharmaceutical and biological products
manufacturers, distributors, product repackagers, and others in the drug
dispensing chain, on their Y2K readiness and contingency planning. In
anticipation of a possible survey, the agency published a notice in the
March 22, 1999, Federal Register , regarding this matter. The Acting Deputy
Commissioner said that potential survey questions on contingency
planning would include steps the manufacturers are taking to ensure an
adequate supply of bulk manufacturing materials from overseas suppliers.
This is a key issue because, as we reported in March 1998, 25 according to
FDA, as much as 80 percent of the bulk pharmaceutical chemicals used by
U.S. manufacturers to produce prescription drugs is imported.
In summary, HCFA and its contractors have made progress in addressing
Medicare Y2K issues that we have raised. However, until HCFA completes
its planned recertification between July and November, the final status of
the agencys Y2K compliance will be unknown. Given the considerable
amount of remaining work that HCFA faces, it is crucial that development
and testing of HCFAs business continuity and contingency plans move
forward rapidly to avoid the interruption of Medicare claims processing
next year. Also, because many states Medicaid systems are at risk,
business continuity and contingency plans will become increasingly critical
for these states in an effort to ensure continued timely and accurate
delivery of benefits to needy Americans.
Regarding the health sector overall, while additional readiness information
is available, much work remains in renovating, testing, and implementing
compliant systems. Aggressive action is needed in obtaining information
on the Y2K readiness of hospitals, physicians, Medicare providers, and
public health agencies. Until this information is obtained and publicized,
consumers will remain in doubt as to the Y2K readiness of key health care
25 Food and Drug Administration: Improvements Needed in the Foreign Drug Inspection Program
(GAO/HEHS-98-21, March 17, 1998).
Page 24 GAO/T-AIMD-99-160
components. In addition, while compliance status information is available
for biomedical equipment through the FDA clearinghouse, FDA has not
reviewed test results supporting manufacturers certifications; such review
would provide the American public with a higher level of confidence that
biomedical equipment will work as intended. The public also needs
readiness information on specific pharmaceutical manufacturers to
address concerns about the stockpiling of drugs and medications.
Messrs. Chairmen, this concludes my statement. I would be pleased to
respond to any questions that you or other members of the Subcommittees
may have at this time.
(511754) Leter Page 25 GAO/T-AIMD-99-160
Ordering Information
The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.
Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013
or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC
Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.
Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.
For information on how to access GAO reports on the INTERNET,
send an e-mail message with info in the body to:
info@www.gao.gov
or visit GAOs World Wide Web Home Page at:
http://www.gao.gov
United States Bulk Mail
General Accounting Office Postage & Fees Paid
Washington, D.C. 20548-0001 GAO
Permit No. GI00
Official Business
Penalty for Private Use $300
Address Correction Requested